package com.sakura.demo.config;

import com.sakura.demo.filter.JwtAuthenticationTokenFilter;
import com.sakura.demo.handler.AnonymousAuthenticationHandler;
import com.sakura.demo.handler.CustomerAccessDeniedHandler;
import com.sakura.demo.handler.LoginFaliureHandler;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity(prePostEnabled = true)// 开启方法权限认证
public class SecurityConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    private JwtAuthenticationTokenFilter jwtAuthenticationTokenFilter;
    // 拒绝访问处理
    @Autowired
    private CustomerAccessDeniedHandler customerAccessDeniedHandler;
    @Autowired
    private LoginFaliureHandler loginFaliureHandler;

    // 匿名访问处理
    @Autowired
    private AnonymousAuthenticationHandler anonymousAuthenticationHandler;
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers("/user/login")
                        .permitAll()
                        .anyRequest()
                        .authenticated()
                )
                .formLogin(form -> form // ✅ 推荐的方式
                        .loginPage("/login")       // 自定义登录页（可选）
                        .permitAll()               // 登录页无需认证
                )
                .csrf(csrf -> csrf.disable()); // 可选，开发时禁用 CSRF

        http.addFilterBefore(jwtAuthenticationTokenFilter, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.class);

        http.formLogin(form -> form.failureHandler(loginFaliureHandler));

        http.exceptionHandling(exception ->{exception.accessDeniedHandler(customerAccessDeniedHandler).authenticationEntryPoint(anonymousAuthenticationHandler);});
        return http.build();
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration configuration) throws Exception{
        return configuration.getAuthenticationManager();
    }
}
